Results 1 to 6 of 6

Thread: MS04-22 Exploits

  1. August 2nd, 2004, 09:53 AM #1
    dynamoo
    dynamoo is offline
    Member dynamoo's Avatar
    Join Date
    Aug 2001
    Posts
    80

    MS04-22 Exploits

    The ISC is reporting that there's some exploit code available for MS04-22. But I have to admit that I'm still scratching my head on understanding the nature of this security vulnerability.

    I've re-read the MS bulletin several times and despite warnings of "remote code execution" it seems to me that the only way of infecting a machine is to send a specially crafted .JOB file to the target PC, presumably via email or some other mechanism. In which case, surely the exploit for this is basically a standard email-based virus rather than a Sasser/Blaster-like worm?

    And if the only way to infect a machine is to send a .JOB file through email, then surely a quick and easy defense is to block .JOB files on your mail system? Yes, I know you should patch systems with the relevant KB841873 update but like a lot of real-world organisations it's hard to get 100% of systems patched and secured.

    So am I misunderstanding the potential attack vector for MS04-22, or is it really not as bad as some of the reports suggest?

    Incidentally, Foundstone have a scanner for this vulnerability here .
    Reply With Quote Reply With Quote
  2. August 2nd, 2004, 10:22 AM #2
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Don't forget you can also "remotely" exploit machines by placing a .job file on a fileshare and enticing an admin to open that directory.


    Note: Yeah, 1000 posts
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Reply With Quote Reply With Quote
  3. August 2nd, 2004, 10:45 AM #3
    dynamoo
    dynamoo is offline
    Member dynamoo's Avatar
    Join Date
    Aug 2001
    Posts
    80
    Just by viewing the directory?
    Reply With Quote Reply With Quote
  4. August 2nd, 2004, 10:51 AM #4
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    In some circumstances the overflow is triggered automatically when viewing the directory that contains the job file in an explorer window due to the fact that 'shell32.dll' will detect the '.job' file extension, and load 'mstask.dll' allowing the module to examine the file, which is when the overflow occurs.
    From http://www.nextgenss.com/advisories/mstaskjob.txt
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Reply With Quote Reply With Quote
  5. August 2nd, 2004, 12:12 PM #5
    dynamoo
    dynamoo is offline
    Member dynamoo's Avatar
    Join Date
    Aug 2001
    Posts
    80
    OK.. yes, I can see that would be a problem.

    So, a possible attack mechanism would be to use a standard mass-mailing virus with a .JOB exploit dropper that could then replicate through shares (e.g. on a corporate network).

    I guess it's not quite script kiddie stuff though, but using a virus to drop another application/trojan on the victim's PC is fairly common.


    Added: congrats on 1000 posts btw
    Reply With Quote Reply With Quote
  6. August 2nd, 2004, 12:29 PM #6
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    This one's a bit more dangerous though as you don't need to start anything, just viewing the directory can be enough to get you infected.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules